United States General Accounting Office
Washington,  D.C.  20548 


Resources,  Community,  and 
Economic  Development  Division 


B-284303 

February  24,  2000 

The  Honorable  Thomas  J.  Bliley,  Jr. 

Chairman,  Committee  on  Commerce 
House  of  Representatives 

Dear  Mr.  Chairman: 

The  Department  of  Energy  (DOE)  is  responsible  for  the  nation’s  nuclear 
weapons  program  and  owns  a  number  of  facilities  to  carry  out  classified 
weapons-related  activities.  These  facilities  are  operated  for  DOE  by 
contractors  who  are  responsible  for  protecting  classified  information, 
nuclear  materials,  nuclear  weapons,  and  nuclear  weapons  components. 
DOE  provides  oversight  over  the  contractor’s  safeguards  and  security 
program  to  ensure  that  protection  is  provided  consistent  with  DOE’s 
requirements  and  standards.  Over  the  past  few  years,  a  number  of  reports 
and incidents have indicated that there are problems — including computer
security and the control of foreign visitors — at DOE’s facilities and
laboratories.  Over  the  years  the  laboratories  have  also  been  targets  for 
espionage. 

To  ensure  that  problems  are  identified  and  promptly  resolved,  you 
requested  that  we  evaluate  DOE’s  activities  for  safeguards  and  security 
oversight  at  DOE’s  Los  Alamos  National  Laboratory  and  Lawrence 
Livermore National Laboratory. DOE’s Office of Independent Oversight and
Performance  Assurance  and  the  Department’s  operations  offices  primarily 
conduct  these  activities.  As  agreed  with  your  office,  this  report  discusses 
(1)  the  monitoring  and  tracking  of  findings  resulting  from  DOE’s  oversight 
activities;  (2)  the  correction,  validation,  and  closing  of  findings  resulting 
from  such  activities;  and  (3)  the  consistency  of  various  DOE  assessments 
of  the  laboratories’  safeguards  and  security  programs. 


Results in Brief

DOE’s Office of Security and Emergency Operations — the safeguards and
security policy organization within DOE’s headquarters — maintains a
centralized  management  information  system  to  track  and  monitor 
safeguards  and  security  findings  and  the  related  corrective  actions.  This 
system  would  be  of  more  value  if  it  contained  information  on  all  security 
findings.  The  findings  developed  from  1995  through  1998  by  the 
independent  oversight  organization  at  DOE’s  headquarters — the  Office  of 




GAO/RCED-00-62 DOE’s Safeguards and Security Oversight




Independent  Oversight  and  Performance  Assurance — are  not  included  in 
the  system  nor  are  the  findings  and  recommendations  developed  by  GAO 
and  other  outside  organizations,  such  as  congressional  committees  and 
special  review  teams.  In  addition,  the  system  is  not  directly  accessible  by 
safeguards  and  security  staff  at  DOE’s  area  offices  and  the  laboratories. 
Each  laboratory  has  developed  its  own  information  system,  which  contains 
data  on  all  the  findings  that  relate  to  it.  As  a  result,  information  about 
problems  at  one  location  is  not  available  to  safeguards  and  security  staff  at 
other  locations.  Such  information  would  help  the  staff  avoid  similar 
problems  and  improve  their  safeguards  and  security. 

DOE  requires  that  the  laboratories  conduct  a  risk  assessment,  a  root  cause 
analysis,  and  a  cost-benefit  analysis  as  part  of  their  process  to  correct 
safeguards  and  security  problems  found  by  DOE’s  oversight  activities. 
These  analyses  help  to  ensure  that  problems  with  safeguards  and  security 
are  corrected  in  an  economic  and  efficient  manner.  Despite  their 
importance,  these  assessments  and  analyses  have  not  always  been 
conducted.  While  the  Lawrence  Livermore  National  Laboratory  generally 
complied  with  DOE’s  requirements,  the  Los  Alamos  National  Laboratory 
has  historically  not  conducted  risk  assessments  and  cost-benefit  analyses 
at  all  and  has  performed  root  cause  analyses  for  only  about  two-thirds  of 
the  findings.  In  1998,  the  Los  Alamos  National  Laboratory  began  requiring 
formal,  documented  root  cause  analyses  for  all  findings.  In  addition,  the 
Independent  Oversight  Office  is  not  required  to  and,  in  the  past,  has 
generally  not  worked  with  the  laboratories  to  develop  corrective  action 
plans  for  its  safeguards  and  security  findings.  Also,  the  Independent 
Oversight  Office  is  not  required  to  validate  the  corrective  action,  verify  that 
the  problem  was  corrected,  and  certify  that  its  findings  were  closed  and 
has  not  been  formally  involved  in  these  activities.  As  a  result,  there  was  no 
assurance  that  the  problem  was  understood,  adequately  corrected,  and 
closed.  During  the  past  year,  the  Independent  Oversight  Office  has  worked 
with  the  laboratories  to  develop  corrective  action  plans  and  has  conducted 
follow-up  reviews  of  its  findings  that  are  being  corrected,  validated, 
verified,  or  closed  by  the  operations  offices.  However,  the  Independent 
Oversight  Office  still  does  not  become  involved  in  validating  and  verifying 
corrective  actions  and  certifying  that  findings  are  closed. 

From  1994  through  1999,  the  laboratories’  safeguards  and  security 
performance  has  received  many  inconsistent  ratings  from  oversight  and 
other  DOE  organizations.  During  a  given  year,  the  Los  Alamos  National 
Laboratory  received  ratings  ranging  from  marginal  to  excellent,  depending 
on the DOE organization conducting the assessment. Likewise, the
Lawrence Livermore National Laboratory received ratings ranging from
marginal  to  far  exceeds  expectations.  This  inconsistency  can  send  a  mixed 
and/or  erroneous  message  to  safeguards  and  security  policy  makers  and 
managers.  At  least  partially,  this  inconsistency  results  from  various 
organizations’  use  of  different  criteria  and  the  timing  of  the  rating.  DOE  has 
changed  the  rating  criteria  for  the  safeguards  and  security  contract 
performance  rating  for  2000.  These  changes  could  decrease  rating 
inconsistency  in  future  years. 

We are making recommendations to improve the safeguards and security
activities  at  DOE’s  laboratories  and  to  formalize  oversight  improvements 
that  were  made  during  1999. 


Background 


DOE  has  numerous  contractor-operated  facilities  and  laboratories  that 
carry out DOE’s various programs and missions. The laboratories conduct
some  of  the  nation’s  most  sensitive  activities,  including  designing, 
producing,  and  maintaining  the  nation’s  nuclear  weapons;  conducting 
efforts  for  other  military  or  national  security  applications;  and  performing 
research  and  development  in  advanced  technologies  for  potential  defense 
and  commercial  applications.  Because  of  these  sensitive  activities,  these 
facilities — especially  the  laboratories — are  targets  of  foreign  espionage 
efforts. 

Security concerns and problems have existed at many of these facilities
since they were created. Recent years have been no different. In 1997,
DOE’s Office of Security Affairs issued a report that rated safeguards and
security at some facilities and laboratories as marginal and identified
problem areas that included physical security and accountability for
special nuclear material.^1,2 In April 1999, all computer networks (except for
those  performing  critical  safety  or  security  functions)  at  the  laboratories 
were  shut  down  because  of  concerns  about  inadequate  security.  During 
that  same  month,  we  testified  on  numerous  long-standing  safeguards  and 
security  problems,  including  ineffective  controls  over  foreign  visitors, 
weaknesses  in  efforts  to  control  and  protect  classified  and  sensitive 
information,  lax  physical  security  controls,  the  ineffective  management  of 
personnel  security  clearance  programs,  and  weaknesses  in  tracking  and 
controlling nuclear materials.^3 In December 1999, a scientist at the Los
Alamos  National  Laboratory  was  indicted  on  59  felony  counts  of 
mishandling  classified  information.  The  scientist  was  accused  of 
transferring  files  from  Los  Alamos’  secure  computer  system  to  computer 
tapes,  most  of  which  cannot  be  accounted  for. 

DOE  is  responsible  for  a  security  program  that  effectively  protects  against 
theft,  sabotage,  espionage,  terrorism,  and  other  risks  to  national  security  at 
its  facilities.  DOE  has  policies  and  procedures  to  protect  its  facilities, 
classified  documents,  data  stored  in  computers,  nuclear  materials,  nuclear 
weapons,  and  nuclear  weapons  components.  The  operating  contractors  at 
DOE’s facilities are responsible for implementing these safeguards and
security  policies  and  procedures.  To  ensure  that  these  policies  and 
procedures  are  followed  and  implemented,  DOE’s  Office  of  Independent 
Oversight  and  Performance  Assurance  (OA)  provides  independent 
oversight  of  the  effectiveness  of  policy  and  its  implementation.  The  field 
operations  offices  provide  line  management  direction  and  assess 
compliance  with  DOE’s  policy.  These  offices  play  a  critical  role  in  the  early 
detection  of  safeguards  and  security  problems  and  can  play  a  major  role  in 
the  timely  resolution  of  those  problems. 


^1 See Status of Safeguards and Security for 1996 (Jan. 27, 1997).

^2 The Office of Security Affairs is a DOE headquarters organization whose functions include
establishing safeguards and security policies and providing advice and assistance
concerning safeguards and security programs.

^3 See Department of Energy: Key Factors Underlying Security Problems at DOE Facilities
(GAO/T-RCED-99-159, Apr. 20, 1999).

DOE’s operations offices are the line organizations accountable for
evaluating  the  laboratories’  safeguards  and  security  activities.  The  reason 
for  this  is  that  the  operations  offices  are  responsible  for  managing  the 
contracts  for  the  operation  of  DOE’s  facilities  and  for  ensuring  that  DOE’s 
policies,  procedures,  and  requirements  are  followed.  The  operations 
offices  are  required  to  conduct  an  annual  survey  of  the  adequacy  of  the 
operating  contractors’  safeguards  and  security  programs.  DOE’s 
Albuquerque  Operations  Office  is  responsible  for  the  Los  Alamos  National 
Laboratory  and  has  safeguards  and  security  staff  at  a  Los  Alamos  Area 
Office  to  provide  on-site  management  and  oversight.  DOE’s  Oakland 
Operations  Office  is  responsible  for  the  Lawrence  Livermore  National 
Laboratory  and  has  safeguards  and  security  staff  located  at  the  laboratory 
to  provide  a  day-to-day  presence. 

OA  provides  oversight  of  laboratory  safeguards  and  security  activities  from 
DOE’s headquarters. OA is an “independent” oversight organization that is
separate from the line management structure, conducts safeguards and
security inspections of DOE’s facilities, and issues reports.^4 OA has existed
in  various  forms  since  1982.  This  Office  was  originally  organized  under 
DOE’s  Office  of  the  Assistant  Secretary  for  Defense  Programs.  In  1990,  the 
Office  of  Security  Evaluations  was  moved  to  DOE’s  Office  of  the  Assistant 
Secretary  for  Environment,  Safety,  and  Health.  In  1999,  the  Office  of 
Security  Evaluations  became  OA,  which  reports  directly  to  the  Secretary  of 
Energy. 


^4 The findings in OA reports have been referred to as “issues” in some OA reports. In this
report, we refer to all OA findings as “findings.” OA has also used different terms for the
reviews it conducts, including “inspections,” “evaluations,” and “site profiles.” In this report
we refer to all OA reviews as “inspections.”

Additional organizations have provided safeguard and security oversight as
the  need  has  occurred.  For  example,  DOE’s  Office  of  Counterintelligence 
evaluates  counterintelligence  activities  at  DOE’s  facilities,  and  DOE’s 
operating  contractors  at  the  laboratories  conduct  annual  self-assessments 
of  the  quality  of  their  safeguards  and  security  programs.  In  addition,  the 
contractors  also  have  internal  audit  organizations  that  review  aspects  of 
the  safeguards  and  security  programs.  GAO  and  DOE’s  Office  of  Inspector 
General  also  evaluate  selected  safeguards  and  security  activities.  Finally, 
outside  organizations  have  also  reviewed  the  laboratories’  safeguards  and 
security activities.^5 However, OA and the operations offices are the only
DOE  organizations  responsible  for  continuing  oversight  of  safeguards  and 
security  activities  at  the  laboratories. 


DOE  Lacks  a 
Comprehensive 
Tracking  System  for 
Safeguards  and 
Security  Findings 


DOE  and  the  contractors  that  operate  the  Los  Alamos  National  Laboratory 
and  the  Lawrence  Livermore  National  Laboratory  use  a  number  of 
information  systems  to  track  safeguards  and  security  findings  that  have 
been  made  by  DOE’s  oversight  organizations.  DOE  headquarters’  Office  of 
Security  and  Emergency  Operations  maintains  the  Safeguards  and  Security 
Information  Management  System,  and  the  contractors  that  operate  the  Los 
Alamos  National  Laboratory  and  the  Lawrence  Livermore  National 
Laboratory  maintain  their  own  information  systems.  These  systems, 
however,  do  not  include  information  on  all  the  safeguards  and  security 
findings,  are  not  accessible  by  all  necessary  personnel,  and/or  are  not 
capable  of  interfacing  with  each  other. 

No  single  information  system  maintained  by  DOE  and  the  laboratories 
contains  information  on  all  the  safeguards  and  security  findings  at  the 
laboratories.  DOE’s  Safeguards  and  Security  Information  Management 
System  contained  information  on  all  OA  and  operations  office  survey 
safeguards  and  security  findings  and  corrective  action  plans  until  1995. 
Although  a  memo  dated  August  15,  1995,  from  the  Director  of  the  Office  of 
Safeguards  and  Security  required  that  OA’s  findings  be  entered  in  the 
system,  from  1995  to  1998,  information  on  OA’s  findings  and  related 
corrective  action  plans  was  not  included  in  the  system.  Because  OA  did  not 
highlight  or  number  the  findings  in  its  reports,  the  staff  responsible  for 


^5 In January 1999, a special security review team issued an Internal Report to the Secretary,
Special Security Review. Also, in January 1999, a House of Representatives Select
Committee issued a report that dealt with security at DOE’s facilities entitled U.S. National
Security and Military/Commercial Concerns With the People’s Republic of China,

correcting safeguards and security problems could not easily identify the
findings  and  enter  them  into  the  information  systems.  In  1999,  OA  changed 
its  inspection  report  format  to  more  clearly  identify  its  findings,  and  OA’s 
findings  are  now  being  included  in  the  Safeguards  and  Security  Information 
Management  System.  However,  the  Safeguards  and  Security  Information 
Management  System  has  never  included  information  related  to  the  findings 
made  by  organizations  other  than  OA  and  the  operations  offices,  such  as 
GAO, DOE’s Office of Inspector General, and DOE’s Office of
Counterintelligence. 

At  both  the  Los  Alamos  National  Laboratory  and  Lawrence  Livermore 
National  Laboratory,  the  operating  contractors  maintain  their  own 
computerized  information  systems.  These  systems  contain  findings  and 
corrective  action  information  for  OA’s  findings  (from  1995  through  1998, 
OA’s  findings  that  the  laboratories  could  identify  were  included  in  their 
systems), the operations offices’ survey findings, the findings from
self-assessments performed by the contractors or internal audits, and the
findings  from  any  other  source  that  the  contractor  is  aware  of.  For 
example,  the  Los  Alamos  National  Laboratory’s  safeguards  and  security 
officials  informed  us  that  because  DOE  lacked  a  comprehensive 
information  system,  the  laboratory  developed  its  own  information  system. 
Los  Alamos’s  system  includes  virtually  every  known  security  problem  at 
the  laboratory  and  provides  a  management  tool  to  ensure  that  problems  are 
addressed  and  tracked  to  closure.  However,  the  laboratories’  information 
systems  include  only  those  findings  related  to  their  laboratory  and  do  not 
include  findings  for  other  DOE  facilities.  In  addition,  these  systems  are  not 
compatible  with  the  Safeguards  and  Security  Information  Management 
System,  and  information  from  one  system  cannot  be  compared  or 
downloaded  between  systems. 

In  addition  to  not  including  all  findings,  the  Safeguards  and  Security 
Information  Management  System  is  not  readily  available  to  all  DOE  and 
contractor  personnel  that  have  a  legitimate  need  to  access  information  on 
safeguards  and  security  findings.  The  Safeguards  and  Security  Information 
Management  System  is  available  to  the  safeguards  and  security  staff  at 
DOE’s  headquarters  and  to  operations  office  personnel.  DOE’s  area-office 
staff  and  personnel  working  for  the  laboratories’  operating  contractor  who 
work  on  safeguards  and  security  issues  do  not  have  direct  access  to  the 
Safeguards  and  Security  Information  Management  System  and  must 
request  information  through  one  of  the  organizations  that  does  have  direct 
access.  Laboratory  officials  believe  that  access  to  a  centralized, 
comprehensive  system  would  facilitate  tracking  corrective  actions  and 
would enable the laboratories to use information from other facilities to
improve  their  safeguards  and  security  programs.  Information  about 
problems  at  one  facility  and  their  resolution  could  allow  managers  at  other 
facilities  to  avoid  similar  problems.  In  addition,  such  a  system  could  aid  in 
the  identification  of  the  most  cost-effective  actions  to  correct  safeguards 
and  security  problems  or  could  be  the  basis  for  trend  analyses  across 
laboratories. 

DOE  and  laboratory  officials  told  us  that  they  see  a  need  for  an  improved 
safeguards  and  security  information  system.  OA  officials  informed  us  that 
they  have  begun  a  dialogue  with  DOE’s  Office  of  Security  and  Emergency 
Operations  about  the  current  capabilities  and  deficiencies  of  the  system 
and  the  needs  for  information  from  the  system. 


Improvements  Needed 
in  Correcting  and 
Closing  Findings 


DOE  Order  470.1  requires  that  when  a  DOE  operations  office  or  OA  reports 
a  finding  that  raises  a  significant  security  vulnerability,  immediate  interim 
actions  must  be  taken  to  temporarily  mitigate  identified  risks.  After  such 
interim  actions  are  taken,  the  laboratories  analyze  the  finding  and,  within 
15  days,  develop  a  corrective  action  plan  to  permanently  correct  the 
findings.  As  part  of  the  permanent  corrective  action  plan’s  development, 
the  laboratory  must  conduct  a  risk  assessment,  root  cause  analysis,  and 
cost-benefit  analysis.  The  operations  office  validates  and  verifies  that  the 
survey  findings  have  been  corrected  and  certifies  closure  of  the  finding.  We 
found  that  the  Lawrence  Livermore  National  Laboratory  was  either 
conducting  the  required  analyses  or  providing  a  justification  of  why  the 
analyses  were  not  conducted.  The  Los  Alamos  National  Laboratory,  on  the 
other  hand,  was  not  conducting  formal  risk  assessments  or  cost-benefit 
analyses at all and was conducting root cause analyses in only about
two-thirds of the findings we reviewed. In addition, until recently, OA was not
formally  involved  in  the  development  of  corrective  action  plans  for  OA’s 
safeguard  and  security  findings.  While  follow-up  inspections  are  now  being 
conducted,  OA  has  not  been  involved  in  the  validation,  verification,  and 
closure  of  those  findings. 


Formal  Corrective  Action 
Analyses  Have  Historically 
Not  Been  Performed 


DOE Order 470.1 requires that corrective actions developed for operations
offices’  survey  findings  should  be  based  on  documented  risk  assessment, 
root  cause  analysis,  and  cost-benefit  analysis.  Risk  assessment  is  essential 
to  determine  the  risk  associated  with  an  identified  deficiency  in  prioritizing 
its  correction.  Root  cause  analysis  ensures  a  determination  of  the 
fundamental  and  contributing  causes  of  a  deficiency.  Cost-benefit  analysis 
is important in determining whether correcting a security risk is worth the
cost of corrective action. Risk assessments, cost-benefit analyses, and root
cause analyses are not always warranted (as explained in this section).
However,  the  corrective  action  plan  process  should  include  a  formal 
determination  of  whether  these  analyses  are  warranted. 

We  reviewed  15  findings  related  to  safeguards  and  security  problems  at  the 
Los  Alamos  National  Laboratory  and  13  findings  related  to  safeguards  and 
security  problems  at  the  Lawrence  Livermore  National  Laboratory.  At  the 
Lawrence  Livermore  National  Laboratory,  risk  assessments,  root  cause 
analyses, and cost-benefit analyses had been performed as required.^6
However,  we  found  that  at  the  Los  Alamos  National  Laboratory,  not  all  the 
required  analyses  have  historically  been  performed  during  the  corrective 
action  process. 

Of  the  15  findings  at  the  Los  Alamos  National  Laboratory,  10  were  from  the 
Albuquerque Operations Office’s surveys, and 5 were from OA’s
inspections.  These  findings  were  developed  from  1994  through  1999.  The 
Los  Alamos  National  Laboratory’s  safeguards  and  security  staff  did  not 
perform  root  cause  analyses  for  5  of  the  15  findings.  A  root  cause  analysis 
was  not  conducted  for  one  finding  because  the  finding  was  closed  while  the 
Albuquerque Operations Office was conducting the survey. For the other
four  findings,  laboratory  safeguards  and  security  officials  said  that  root 
cause  analyses  were  not  conducted  because  the  findings  occurred  before 
the  laboratory  required  that  root  cause  analysis  be  documented  in  1998. 
Our review of the four findings indicated that none of those specific
problems  were  identified  as  recurring  problems  in  subsequent  inspections 
and  surveys.  We  also  found  that  since  the  1998  requirement,  Los  Alamos 
was  documenting  root  cause  analyses  for  all  findings. 

Formal  risk  assessments  (or  justifications  for  not  doing  formal  risk 
assessments)  were  not  completed  for  any  of  the  15  Los  Alamos  National 


^6 Safeguards and security staff at the Lawrence Livermore National Laboratory did not
perform  risk  assessment,  root  cause  analyses,  and  cost-benefit  analyses  for  three  of  the 
findings  we  reviewed  because  they  were  findings  contained  in  OA’s  1997  Site  Profile,  and 
laboratory  staff  believed  that  the  issues  raised  were  not  formal  findings  and  that  corrective 
action  plans  were  not  required.  In  addition,  a  cost-benefit  analysis  was  not  performed  for 
one  Oakland  survey  finding  that  involved  the  use  of  a  certain  kind  of  lock  on  a  room  that 
contained  classified  printers.  The  laboratory’s  safeguards  and  security  staff  conducted  a  risk 
assessment  and  a  root  cause  analysis  for  this  finding  but  did  not  conduct  a  cost-benefit 
analysis  because  the  printer  room  had  been  eliminated  shortly  after  completion  of  the 
survey  and  the  finding  was  no  longer  applicable. 

Laboratory findings that we reviewed. The Los Alamos National
Laboratory’s  safeguards  and  security  officials  told  us  that  formal  risk 
assessments  are  not  conducted  because  the  laboratory  does  not  require 
them.  They  said  that  risk  assessments  have  been  conducted  informally 
immediately  upon  learning  that  a  safeguards  and  security  problem  has  been 
discovered  but  that  these  assessments  are  not  documented.  If  classified 
information  or  nuclear  material  is  at  risk,  the  official’s  first  priority  is  to 
ensure  that  adequate  compensatory  measures  are  put  into  place.  The 
laboratory’s  safeguards  and  security  officials  informed  us  that  they  rely 
heavily  on  risk  determinations  made  by  DOE’s  inspectors  during  the  course 
of  the  audit.  Since  we  completed  our  review,  laboratory  officials  informed 
us  that  they  have  required  that  formal  risk  assessments  be  completed  and 
documented  for  all  findings. 

Cost-benefit  analyses  were  also  not  completed  for  any  of  the  15  Los  Alamos 
National  Laboratory’s  findings  that  we  reviewed.  The  Los  Alamos  National 
Laboratory’s  safeguards  and  security  officials  told  us  that  they  did  not 
perform  any  cost-benefit  analyses  for  these  findings  because  the  majority 
of  the  findings  involve  compliance  with  DOE’s  regulations  and  must  be 
corrected  (e.g.,  marking  of  documents  and  submission  of  required 
paperwork). While formal cost-benefit analyses were not performed, the
safeguards and security officials said that they informally consider the
cost-benefit of a corrective action for all findings. Exemptions are often
requested  to  eliminate  the  need  for  expensive  corrective  actions  that  do  not 
significantly  improve  security. 

An  example  of  how  these  analyses  can  benefit  the  corrective  action 
process  involves  a  1999  OA  finding  that  appeared  to  require  the 
replacement  of  doors  to  special  nuclear  material  vaults  at  the  Lawrence 
Livermore  National  Laboratory.  DOE  requires  that  the  doors  and  walls  to  a 
vault  containing  special  nuclear  material  provide  the  same  protection  from 
unauthorized  entry.  For  this  finding,  Lawrence  Livermore  National 
Laboratory  officials  conducted  root  cause,  cost-benefit,  and  risk  analyses 
and  determined  that  the  new  vault  doors  would  cost  about  $200,000  and 
that  installing  them  would  cost  an  additional  $1  million,  without  providing 
a  significant  increase  in  security.  As  a  result,  instead  of  proceeding  with  the 
upgrade  to  close  the  finding,  in  November  1999,  Lawrence  Livermore 
National  Laboratory  officials  requested  a  variance  from  the  DOE 
requirement. 




OA  Did  Not  Validate  or 
Certify  Closure  of  Its 
Findings 


DOE’s operations offices follow a process for closure of safeguard and
security  findings  resulting  from  their  annual  surveys.  The  process  involves 
the  operations  offices  in  the  development,  validation,  and  verification  of 
the  corrective  action  and  the  closure  of  the  finding.  OA  is  not  required  to 
follow  and  has  not  followed  a  similar  process  for  safeguards  and  security 
findings  resulting  from  its  inspections.  Until  1999,  OA  was  not  formally 
involved  in  the  development,  validation,  and  verification  of  the  corrective 
actions  resulting  from  its  inspections  and  did  not  certify  that  the  findings 
were  closed.  The  operations  offices  performed  these  functions.  OA  officials 
told  us  that  they  believe  the  operations  offices — as  line  managers — are  the 
appropriate  organizations  for  conducting  these  functions  and  that,  in  most 
cases,  OA  (1)  was  aware  of  the  status  of  a  finding,  (2)  was  aware  of 
whether  or  not  a  laboratory  was  formally  addressing  it,  and  (3)  would 
evaluate  the  effectiveness  of  the  corrective  action  during  the  next 
inspection  of  the  facility.  We  believe  that  by  not  being  formally  involved  in 
the  corrective  action  process,  OA  was  not  able  to  ensure  that  the 
safeguards  and  security  finding  was  understood,  adequately  corrected,  and 
closed. 

Because  OA  did  not  get  involved  in  the  correction  of  findings,  the 
laboratories  were  not  always  aware  of  what  findings  existed.  In  addition, 
some  findings  were  never  corrected,  and  a  laboratory  corrected  a  “finding” 
that  OA  did  not  make.  For  example,  in  1998,  OA  issued  a  report  on  its 
review  of  aspects  of  safeguards  and  security  at  the  Lawrence  Livermore 
National  Laboratory  that  OA  believed  contained  eight  findings.  However, 
these  findings  were  not  clearly  identified.  Of  those  eight  findings,  six  were 
identified  by  the  laboratory  when  it  reviewed  the  report.  The  two  findings 
identified  by  OA  and  not  by  the  laboratory  concerned  protective  force  and 
personnel  security  issues.  For  these  two  findings,  no  corrective  action 
plans  were  developed,  and  they  were  never  closed.  In  addition,  in  the 
laboratory’s review of OA’s report, the laboratory identified what it thought
was  an  OA  finding  concerning  nuclear  material  inventories.  However,  this 
was  not  one  of  the  eight  findings  that  OA  made.  As  a  result,  the  Lawrence 
Livermore  National  Laboratory  corrected  and  closed  a  finding  that  OA 
never  made. 

In  its  1999  inspections  at  the  Los  Alamos  National  Laboratory  and  the 
Lawrence  Livermore  National  Laboratory,  OA  changed  its  processes.  The 
inspection  report  clearly  identified  and  numbered  (for  use  in  the 
Safeguards  and  Security  Information  Management  System)  the  findings.  In 
addition,  OA  worked  with  the  laboratories  in  developing  a  corrective  action 
plan  to  assure  that  the  planned  corrective  action  adequately  addressed  the 
appropriate issues. However, OA does not plan to validate or verify the
corrective  action  and  certify  closure  of  the  findings  because  the  cognizant 
secretarial  offices  and  the  operations  offices  will  continue  to  perform  these 
functions.  OA  conducted  follow-up  reviews  to  evaluate  the  adequacy  of 
corrective  actions  and  associated  closure  documentation.  The  changes  in 
OA’s involvement in the corrective action process were included in an
August  31, 1999,  protocol  issued  by  the  Deputy  Secretary. 


Safeguards and Security Ratings Are Inconsistent


During  a  single  year,  the  Los  Alamos  National  Laboratory  and  Lawrence 
Livermore  National  Laboratory  receive  ratings  on  their  safeguards  and 
security  performance  from  several  sources  that  can  range  from 
“unsatisfactory”  to  “far  exceeds  expectations.”  Safeguards  and  security 
ratings  have  the  potential  to  provide  managers  and  policymakers  with  a 
“report  card”  on  the  effectiveness  of  safeguards  and  security  at  a  given 
facility  and  throughout  the  complex.  In  recent  years,  however,  ratings  have 
provided  conflicting  information  on  the  effectiveness  of  safeguards  and 
security  or,  in  cases  where  the  ratings  were  not  reported,  provided  no 
information  on  the  effectiveness  of  safeguards  and  security. 

Over  the  past  6  years,  the  Los  Alamos  National  Laboratory  and  the 
Lawrence  Livermore  National  Laboratory  each  received  15  safeguards  and 
security  ratings  in  OA  reports,  operations  office  survey  reports,  DOE 
contract  performance  ratings,  and  reports  to  the  President.  The  ratings 
contained  in  OA  and  operations  office  reports  are  based  on  the  inspections 
and  surveys  of  safeguards  and  security  programs  at  the  facilities.  Contract 
performance  ratings  are  based  on  annual  assessments  conducted  by  the 
contractor  and  the  operations  office  of  how  well  a  contractor  met  the 
safeguards  and  security  criteria  contained  in  the  contract.  The  rating 
contained  in  the  annual  report  to  the  President  is  a  composite  rating 
derived  from  reviews  of  information  contained  in  OA  inspections, 
operations  office  surveys,  contractor  self-assessments,  and  other  sources. 
Tables  1  and  2  show  these  ratings  for  the  Los  Alamos  and  the  Lawrence 
Livermore  national  laboratories. 

Table 1: Safeguards and Security Ratings for Los Alamos National Laboratory From 1994 Through 1999

Year  OA                                Albuquerque           Safeguards and security   Annual report to
                                        Operations Office     contract performance      the President
1994  No overall site rating given (a)  Marginal              Exceeds expectations      Marginal
1995  Inspection not conducted          Satisfactory          Far exceeds expectations  Satisfactory
1996  Inspection not conducted          Survey not conducted  Far exceeds expectations  Satisfactory
1997  No rating given                   Marginal              Meets expectations        Report not issued (b)
1998  No overall site rating given (c)  Marginal              Excellent                 Marginal (b)
1999  Satisfactory                      Marginal              To be determined          To be determined

(a) OA did not give the site an overall rating but did provide eight ratings of specific safeguards and
security areas. Three were rated satisfactory, four were marginal, and one was unsatisfactory.

(b) Reports for 1997 and 1998 were combined.

(c) OA did not give the site an overall rating but did provide a “marginal” rating for each of the main
elements of the laboratory’s safeguards and security program.


Table 2: Safeguards and Security Ratings for Lawrence Livermore National Laboratory From 1994 Through 1999

Year  OA                        Oakland Operations    Safeguards and security   Annual report to
                                Office                contract performance      the President
1994  Inspection not conducted  Survey not conducted  Excellent                 Satisfactory
1995  Inspection not conducted  Satisfactory          Far exceeds expectations  Satisfactory
1996  Inspection not conducted  Satisfactory          Far exceeds expectations  Marginal
1997  No rating given           Satisfactory          Far exceeds expectations  Report not issued (a)
1998  No rating given           Marginal              Good                      Marginal (a)
1999  Marginal                  Marginal              To be determined          To be determined

(a) Reports for 1997 and 1998 were combined.

As  shown  in  these  tables,  the  ratings  assigned  to  safeguards  and  security 
can  vary  widely  during  a  given  year.  For  example,  at  Lawrence  Livermore 
National  Laboratory  in  1996,  the  Oakland  Operations  Office’s  safeguards 
and  security  survey  rated  the  laboratory  as  “satisfactory,”  the  safeguards 
and security contract performance rating was “far exceeds expectations,”
and the annual report to the President assigned a “marginal” rating. A
similar situation occurred at the Los Alamos National Laboratory in 1998.
In that year, both the Albuquerque Operations Office’s safeguards and
security  survey  and  the  annual  report  to  the  President  rated  the  laboratory 
as  “marginal,”  while  the  safeguards  and  security  contract  performance 
rating  was  “excellent.” 

This  disparity  occurs  for  several  reasons.  One  reason  is  that  the  purpose 
and  the  criteria  for  the  ratings  are  not  the  same.  In  their  surveys,  the 
operations  offices  use  DOE’s  policies,  procedures,  requirements,  and 
orders  designed  to  protect  classified  information  and  material  to  measure 
the  laboratories’  safeguards  and  security  performance.  The  ratings 
assigned  for  contract  performance  are  based  on  a  different  set  of  criteria, 
which  are  negotiated  between  DOE  and  the  contractors  operating  the 
laboratories.  In  the  past,  the  contract  performance  criteria  have  often  been 
oriented  toward  quantifiable  tasks  that  may  not  have  a  significant  impact 
on  the  effectiveness  of  the  safeguards  and  security  program.  For  example, 
performance  criteria  for  1998  in  the  Los  Alamos  National  Laboratory’s 
contract  included  the  percentage  of  corrective  action  plans  completed  on 
time,  the  number  of  self-assessments  completed,  and  the  percentage  of 
time  that  nuclear  material  is  properly  labeled  and  stored.  The  contract 
performance  criteria  do  not  include  safeguards  and  security  ratings  from 
OA  and  the  Albuquerque  Operations  Office.  In  contrast,  OA’s  and  the 
operations  offices’  inspections  and  surveys  are  based  on  criteria  designed 
to  determine  the  laboratory’s  effectiveness  in  protecting  classified 
information  and  nuclear  material. 

To  some  extent,  another  reason  for  the  disparity  in  the  ratings  can  be  the 
timing  of  the  inspection  or  survey.  For  example,  the  Albuquerque 
Operations  Office  conducted  its  annual  survey  of  the  Los  Alamos  National 
Laboratory  in  May  1999.  This  survey  rated  safeguards  and  security  at  the 
laboratory  as  “marginal.”  OA  conducted  its  1999  inspection  of  safeguards 
and  security  at  the  Los  Alamos  National  Laboratory  in  August  1999  and 
rated  Los  Alamos’  safeguards  and  security  as  “satisfactory,”  noting 
improvements  in  the  program  since  OA’s  1998  inspection  and  the 
operations  office’s  1999  survey.  A  third  explanation  for  the  disparate 
safeguards  and  security  ratings  can  be  the  scope  of  the  reviews  conducted. 
For  example,  in  1996,  the  report  to  the  President  rated  the  Lawrence 
Livermore  National  Laboratory  “marginal,”  while  the  Oakland  Operations 
Office  rated  the  laboratory  “satisfactory.”  However,  the  scope  of  the  report 
to  the  President  included  only  the  performance  of  the  special  response 
team,  while  the  Oakland  Operations  Office  survey  included  all  five  major 
safeguards  and  security  topical  areas. 

While several factors may explain the disparate ratings, the wide variance
in  the  ratings  in  a  single  year  raises  questions  about  the  credibility  of  the 
rating  process.  The  ratings  could  also  provide  government  managers  and 
policymakers  with  distorted  views  of  the  effectiveness  of  safeguards  and 
security  at  the  laboratories  and  could  allow  developing  problems  to  be 
overlooked.  A  logical  assumption  for  a  manager  or  policymaker  would  be 
that  if  an  operating  contractor  is  receiving  ratings  of  “far  exceeds 
expectations”  and  near  maximum  contract  performance  awards  for 
safeguards  and  security,  then  the  safeguards  and  security  program  must  be 
doing  a  good  job  of  meeting  the  requirements  to  protect  classified 
information  and  material.  However,  an  OA  inspection  or  operations  office 
survey  for  the  same  laboratory,  for  the  same  year,  could  reveal  a  marginal 
rating  with  numerous  findings  of  noncompliance  with  safeguards  and 
security  policies  and  requirements. 

DOE  is  working  to  correct  this  situation,  and  the  ratings  given  for  contract 
performance  and  inspections  and  surveys  may  not  be  as  disparate  in  future 
years.  Seventy-five  percent  of  the  contract  performance  ratings  for 
safeguards  and  security  for  the  Los  Alamos  National  Laboratory  and  the 
Lawrence  Livermore  National  Laboratory  for  2000  will  be  based  on  OA’s 
inspection  and  operations  offices’  survey  ratings.  The  remaining  25  percent 
of  the  contract  performance  rating  will  be  based  on  the  laboratories’  ability 
to  produce  corrective  action  plans  within  the  designated  time  frames. 

The  criteria  included  in  the  2000  contract  for  the  Los  Alamos  National 
Laboratory  and  the  Lawrence  Livermore  National  Laboratory  are  unique  to 
these  laboratories  and  can  be  different  from  the  criteria  used  at  other  DOE 
facilities.  For  example,  the  2000  contract  for  DOE’s  Sandia  National 
Laboratory  allows  for  the  consideration  of  OA’s  ratings  in  the  performance 
rating  but  does  not  specify  that  they  have  to  be  considered.  In  addition,  the 
contract  performance  criteria  for  the  Sandia  National  Laboratory  contain 
process-oriented  criteria  such  as  the  completion  of  corrective  action  plan 
milestones  and  the  percentage  of  security  guards  that  can  pass  firearms 
proficiency  tests. 

Operations  office  surveys  are  required  to  be  performed  annually  unless  an 
exemption  is  granted,  and  the  report  to  the  President  is  to  be  an  annual 
summary  of  the  status  of  safeguards  and  security.  There  is  no  requirement 
for OA to perform annual inspections at the laboratories; however, periodic
reviews  of  safeguards  are  essential  to  ensure  that  safeguards  and  security 
programs  are  effective.  As  shown  in  tables  1  and  2,  only  the  contract 
performance  ratings  were  completed  in  each  of  the  past  6  years  for  the  Los 
Alamos National Laboratory and the Lawrence Livermore National
Laboratory. OA did not conduct inspections at the Los Alamos National
Laboratory in 1995 and 1996 and at the Lawrence Livermore National
Laboratory in 1994, 1995, and 1996. OA did not assign overall ratings in the
site profiles issued in 1997 and 1998. The Albuquerque Operations Office
did not assign a rating for safeguards and security for the Los Alamos
National Laboratory in 1996, and the Oakland Operations Office did not
assign a safeguards and security rating for the Lawrence Livermore
National Laboratory in 1994. Finally, the report to the President was not
issued in 1997 but, instead, was issued as a combined 1997/1998 report.


Conclusions

The  capability  to  obtain  complete,  accurate  information  on  safeguards  and 
security  findings  is  critical  to  ensure  that  DOE’s  findings  are  corrected  and 
do  not  occur  at  other  DOE  facilities.  DOE’s  information  system,  however,  is 
incomplete,  not  accessible  by  all  security  staff,  and  not  compatible  with 
contractor  information  systems.  Several  safeguards  and  security 
organizations  are  beginning  to  individually  look  at  the  needs  and 
capabilities  of  the  safeguards  and  security  information  system.  However,  in 
our  view,  real  progress  on  this  issue  will  depend  on  a  more  systematic  and 
structured  look  at  the  information  needs  of  all  users  to  maximize  the 
efficiency  and  effectiveness  of  such  a  system. 

Using  tools  like  risk  assessment,  root  cause  analysis,  and  cost-benefit 
analysis  can  aid  in  identifying  why  a  problem  has  occurred,  identifying  the 
best  method  of  correcting  the  problem,  and  ensuring  that  the  problem  does 
not  reoccur.  The  Los  Alamos  National  Laboratory  has  recently  begun  to 
conduct  formal  risk  assessments  and  root  cause  analyses  for  all  findings 
but  is  not  formally  conducting  and  documenting  cost-benefit  analyses.  In 
correcting  the  findings  identified  during  the  safeguards  and  security 
surveys  conducted  by  DOE’s  operations  offices,  the  laboratories  and  the 
operations  offices  coordinate  and  cooperate  in  developing,  validating,  and 
verifying  corrective  actions  and  certifying  closure  of  the  findings.  Until 
1999,  the  Independent  Oversight  Office  was  not  formally  involved  in  the 
corrective  action  process  for  the  problems  found  during  its  inspections.  In 
1999,  the  Independent  Oversight  Office  began  to  work  with  the  laboratories 
during  the  development  of  corrective  action  plans  and  conducted  follow-up 
reviews  of  the  findings  but  still  is  not  required  to  and  does  not  formally 
validate  and  verify  the  corrective  actions  and  certify  closure  of  the  findings. 

Over the past 6 years, managers and policymakers could have been led to
believe that the adequacy of security programs at Los Alamos and
Lawrence Livermore national laboratories was anywhere from “marginal”
to  “far  exceeds  expectations,”  depending  on  which  report  and  rating  was 
being  relied  on.  Indications  are  that  some  of  the  conditions  that  led  to  this 
situation  are  present  at  other  DOE  facilities.  A  consistent  approach  to 
rating  safeguards  and  security  activities  is  necessary.  Furthermore,  all 
required  inspections  must  be  performed  to  facilitate  funding  and  policy 
decisions  for  two  reasons:  (1)  to  improve  the  credibility  of  the  safeguards 
and  security  oversight  process  and  (2)  to  ensure  that  problems  are  not 
overlooked  or  that  their  importance  is  minimized.  Increased  attention  to 
performing  required  oversight  because  of  recent  security  breaches  and 
recent  changes  to  the  rating  criteria  for  safeguards  and  security  contract 
performance  for  the  Los  Alamos  and  Lawrence  Livermore  national 
laboratories  are  steps  in  the  right  direction.  Such  attention  must  be 
maintained,  and  rating  criteria  should  be  monitored  to  ensure  adequate 
safeguards  and  security  at  nuclear  facilities  in  the  future. 


Recommendations

To improve the oversight of safeguards and security activities at DOE’s
laboratories, we recommend that the Secretary of Energy do the following:

•  Require  that  DOE’s  safeguards  and  security  information  system  contain 
the Independent Oversight Office’s and operations offices’ safeguards
and  security  findings.  To  the  extent  practical,  the  key  findings  of  other 
organizations,  such  as  DOE’s  Inspector  General,  should  be  included. 

•  Provide  for  access  to  the  system  by  DOE’s  area-office  and  laboratory 
safeguards  and  security  staff  with  a  legitimate  need.  Such  access  should 
be  in  accordance  with  DOE’s  security  restrictions. 

•  Require  the  Independent  Oversight  Office  to  verify  and  validate 
correction  of  its  findings  and  continue  its  current  involvement  in 
developing  corrective  actions  for  findings  resulting  from  its  inspections. 
The  Secretary  should  also  make  these  responsibilities  binding  by 
incorporating  them  into  the  DOE  directives  system. 

•  Ensure,  to  the  extent  possible,  that  rating  criteria  used  by  the  various 
safeguards  and  security  oversight  organizations  are  more  consistent  and 
accurately  reflect  the  effectiveness  of  safeguards  and  security  at  all 
DOE’s  nuclear  facilities. 


Agency Comments and Our Evaluation


We  provided  DOE  with  a  draft  of  this  report  for  its  review  and  comment. 
Overall,  DOE  stated  that  the  report  was  objective  and  generally  accurate 
but  noted  a  number  of  areas  where  it  thought  that  clarification  was  needed. 
Those areas related to the closure of safeguards and security findings, the
safeguards  and  security  information  management  system,  and  the  title  of 
the  report. 

In  commenting  on  our  discussion  of  the  closure  of  safeguards  and  security 
findings,  DOE  stated  that  line  management — in  this  case,  the  operations 
offices — is  responsible  for  ensuring  that  identified  security  deficiencies  are 
adequately  corrected.  It  believes  the  closing  of  findings  is  a  line 
management  function  and  that  OA  is  responsible  for  follow-up  inspections 
when  the  significance  of  the  deficiency  warrants.  It  stated  that  this 
approach  is  consistent  with  what  is  commonly  done  in  government  and 
industry.  Accordingly,  DOE  made  a  number  of  suggested  changes  to  the 
report  to  reflect  this  view. 

We  agree  that  line  management  is  responsible  for  taking  the  necessary 
corrective actions to close a finding and that making decisions for follow-up
inspections that are based on the significance of the deficiency is
acceptable.  However,  because  of  the  problems  identified  in  this  report — 
such  as  the  difficulty  in  identifying  findings  and  the  2-  or  3-year  lapse 
between  inspections — we  continue  to  believe  that  OA  should  be 
responsible  for  validating  and  verifying  that  the  corrective  action  taken 
does,  in  fact,  eliminate  the  problem  identified.  Because  OA  is  the  originator 
of  the  finding,  it  is  in  the  best  position  not  only  to  be  involved  in  reviewing 
the  corrective  action  plans,  but  also  to  verify  and  validate  that  the 
corrective  actions  have  been  taken  and  to  ensure  that  the  finding  was 
corrected  to  its  satisfaction.  While  we  acknowledge  that  OA  is  following  up 
on  its  1999  reviews,  this  was  not  done  previously.  After  considering  DOE’s 
comments,  we  added  to  our  recommendations  that  DOE  should 
incorporate OA’s verification and validation of corrective actions into the
DOE  directives  system. 

In commenting on our description of DOE’s Safeguards and Security
Information  Management  System,  DOE  stated  that  the  report  gave  readers 
a  distorted  impression  of  the  System.  DOE  commented  that  the  report  did 
not  clearly  identify  that  the  Safeguards  and  Security  Information 
Management  System  is  operated  by  the  Office  of  Security  and  Emergency 
Operations.  Although  the  Office  of  Security  and  Emergency  Operations  is 
clearly  identified  as  the  operator  of  the  System  in  the  appropriate  section  of 
the  report,  we  have  added  that  clarification  to  the  Results  in  Brief  section 
as  DOE  suggested.  DOE  also  commented  that  the  report  did  not  recognize 
that the System has been capable of including OA’s, GAO’s, and the
Inspector General’s findings since 1988. We do not dispute the System’s
capability. However, our focus was on the System’s use — what findings
were  actually  entered  into  the  System.  Our  recommendations  are  not 
entered  in  the  system,  OA’s  findings  were  not  entered  in  the  System  from 
1995  through  1998,  and  the  Inspector  General’s  recommendations  were  not 
entered  in  the  System  until  late  1999.  Regardless  of  the  System’s 
capabilities,  as  long  as  these  findings  are  not  entered  into  the  System,  DOE 
has  no  centralized  means  to  track  the  findings  and  their  correction.  As  a 
result,  we  did  not  make  DOE’s  suggested  change.  Relatedly,  DOE 
commented  on  our  discussion  of  the  inadequate  access  to  the  Safeguards 
and  Security  Information  Management  System.  DOE  stated  that  it  does  not 
restrict  access  to  the  System.  However,  in  its  comments,  the  Department 
conceded  that  the  configuration  of  the  System  limits  access  to 
headquarters  and  the  operations  offices.  We  believe  this  is  a  significant 
limitation.  We  do  not  advocate  vast  increases  in  the  number  of  personnel 
with  access  to  the  System.  However,  we  believe  that  area  office  and 
national  laboratory  personnel  with  appropriate  clearances  and  a  legitimate 
need  to  use  the  System  should  have  direct  access  to  the  System  to  facilitate 
the  correction  of  safeguards  and  security  problems.  As  a  result,  we  did  not 
make  DOE’s  suggested  change. 

DOE’s  last  major  concern  involved  the  title  of  the  report.  DOE  stated  that 
our  use  of  the  word  “oversight”  in  the  title  could  lead  readers  to  the 
conclusion  that  the  report  was  only  about  OA.  Our  report  clearly  states  that 
we  reviewed  oversight  functions  of  two  organizations — OA  and  the 
operations  offices.  We  agree  that  the  operations  offices  are  the  line 
managers  for  the  laboratories  and  that  their  survey  responsibilities 
constituted  oversight  of  the  security  situation  at  the  laboratories.  We  did 
not  change  the  report’s  title.  DOE  also  provided  a  number  of  technical 
comments  that  we  addressed  as  appropriate.  The  full  text  of  DOE’s 
comments  is  included  in  appendix  I. 


Scope and Methodology


To  obtain  information  on  the  monitoring  and  tracking  of  findings  resulting 
from  DOE’s  oversight  activities,  we  held  discussions  with  officials  in  DOE’s 
Office  of  Defense  Programs,  Office  of  Independent  Oversight  and 
Performance  Assurance,  and  Albuquerque  and  Oakland  Operations  Offices. 
We  also  held  discussions  with  contractor  officials  at  the  Lawrence 
Livermore  National  Laboratory  and  the  Los  Alamos  National  Laboratory  on 
their  monitoring  and  tracking  of  DOE’s  oversight  findings.  In  addition,  we 
examined  tracking  and  monitoring  reports  from  the  Albuquerque  and 
Oakland  Operations  Office. 

To determine the consistency of safeguards and security ratings, we
examined  the  oversight  reports  of  the  Office  of  Independent  Oversight  and 
Performance  Assurance  and  DOE’s  Albuquerque  and  Oakland  Operations 
Offices  as  well  as  the  Lawrence  Livermore  National  Laboratory’s  and  Los 
Alamos  National  Laboratory’s  contractor  performance  ratings. 

To  determine  the  identification,  correction,  validation,  and  closing  of 
findings  resulting  from  DOE’s  oversight  activities,  we  (1)  examined  the 
oversight  reports  of  the  Office  of  Independent  Oversight  and  Performance 
Assurance  and  DOE’s  Albuquerque  and  Oakland  Operations  Offices  and  the 
corrective  action  plans  of  the  Lawrence  Livermore  National  Laboratory  and 
the  Los  Alamos  National  Laboratory  taken  in  response  to  DOE’s  findings 
and  (2)  examined  the  records  documenting  closure  and  validation  of  the 
findings  from  DOE’s  oversight  activities.  We  visited  the  Lawrence 
Livermore  National  Laboratory  and  the  Los  Alamos  National  Laboratory  to 
validate  that  actions  were  taken  to  close  a  sampling  of  oversight  findings. 
These  findings  were  selected  judgmentally  to  provide  a  variety  of  findings 
from  different  sources  and  to  allow  for  the  physical  inspection  of  the 
corrective  action.  Our  work  was  performed  from  June  through  December 
1999  in  accordance  with  generally  accepted  government  auditing 
standards. 


As  arranged  with  your  office,  unless  you  publicly  announce  its  contents 
earlier,  we  plan  no  further  distribution  of  this  report  until  30  days  after  the 
date  of  this  letter.  At  that  time,  we  will  send  copies  of  the  report  to  the 
Honorable  Bill  Richardson,  Secretary  of  Energy,  and  the  Honorable  Jacob 
J.  Lew,  Director,  Office  of  Management  and  Budget.  We  will  make  copies 
available  to  others  on  request. 

If you or your staff have any questions about this report, please call me at
(202)  512-3841.  Major  contributors  to  this  report  included  William  F.  Fenzel, 
Assistant  Director;  Kenneth  E.  Lightner,  Jr.,  Senior  Evaluator;  Ilene  Pollack, 
Senior  Evaluator;  and  Susan  W.  Irwin,  Senior  Attorney. 

Sincerely yours,


(Ms.)  Gary  L.  Jones 
Associate  Director,  Energy, 
Resources,  and  Science  Issues 


Department of Energy
Washington, DC 20585
January 31, 2000


MEMORANDUM FOR: Gary Jones, Associate Director
Energy, Resources, and Science Issues
General Accounting Office

FROM: Glenn S. Podonsky, Director, OA-1

SUBJECT: DEPARTMENT OF ENERGY RESPONSE TO GAO DRAFT
REPORT RCED-00-62, “NUCLEAR SECURITY: Improvements
Needed in DOE’s Safeguards and Security Oversight”

We  want  to  thank  you  for  the  opportunity  to  review  the  January  18,  2000,  draft  of  your  report 
RCED-00-62,  “NUCLEAR  SECURITY:  Improvements  Needed  in  DOE’s  Safeguards  and 
Security  Oversight.”  This  response  reflects  review  by  other  appropriate  organizations  within  the 
Department.  Those  organizations  include:  the  Office  of  Independent  Oversight  and 
Performance  Assurance;  the  Office  of  Defense  Programs,  Office  of  Security  and  Emergency 
Operations,  Office  of  Counterintelligence,  Oakland  Operations  Office;  Albuquerque  Operations 
Office,  Los  Alamos  National  Laboratory  and  Lawrence  Livermore  National  Laboratory. 

Overall,  we  found  the  draft  to  be  objective  and  reasonably  accurate.  However,  we  noted  several 
areas  in  which  the  accuracy  of  the  report  could  be  improved  by  clarifying  points  that  we  believe 
could  mislead  the  reader.  We  therefore  offer  the  following  comments  for  your  consideration. 

We  provide  a  general  discussion  of  each  issue,  and  identify  specific  portions  of  the  draft  report, 
which  we  would  recommend  be  changed  for  clarification  or  increased  accuracy.  We  address 
each  issue  as  points  applicable  to  that  issue  appear  sequentially  through  the  draft  report,  then 
address  the  next  issue  in  the  same  manner,  rather  than  addressing  all  points  as  they  appear 
sequentially in the draft report. Many of our comments on the January 18, 2000, draft have been
satisfactorily  addressed  in  your  January  27, 2000,  revision  and  are  not  mentioned  below. 

Closure  of  Findings.  The  draft  report  repeatedly  makes  the  point  that  the  Office  of  Independent 
Oversight  and  Performance  Assurance  does  not  verify  and  validate  corrective  actions  or  formally 
close  findings  we  have  assigned,  implying  that  we  should  be  doing  this. 

Our  mission  is  to  evaluate  the  effectiveness  of  safeguards  and  security,  cyber  security,  and 
emergency  management  policies  and  practices  throughout  the  Department.  DOE  policy  clearly 
places  the  responsibility  for  implementing  those  policies  and  practices  on  line  management  at  all 
levels  within  the  Department,  including  Lead  Program  Secretarial  Officers,  DOE  field  offices 
and  its  contractor  organizations.  Line  managers  have  the  resources,  the  ability,  and  the 
responsibility  to  make  things  happen  at  our  facilities.  This  line  management  responsibility 
includes  insuring  that  identified  security  deficiencies  are  adequately  corrected.  Consequently, 
the  Operations  Office  managers  -  as  the  primary  DOE  line  managers  in  the  field  -  are 
responsible for verifying the implementation of corrective actions and closing all findings related
to  deficiencies  at  facilities  or  in  programs  for  which  they  are  responsible. 

The  Operations  Offices,  having  primary  line  management  responsibilities  for  field  operations, 
are  responsible  for  working  with  the  facilities  to  ensure  that  appropriate  corrective  actions  are 
developed  and  for  verifying  that  they  are  effectively  implemented  -  no  matter  what  the  source  of 
the  finding.  Consequently,  they  formally  close  all  findings,  including  those  they  have  identified 
during  their  own  security  surveys  as  well  as  those  identified  by  OA  during  an  independent 
oversight  inspection. 

The  Office  of  Independent  Oversight  and  Performance  Assurance,  having  no  line  management 
authority  or  responsibility,  is  not  the  appropriate  organization  to  perform  this  line  management 
function.  Although  we  do  not  formally  close  findings  we  assign,  it  is  misleading  to  imply  that 
we  now,  or  ever,  merely  issue  findings  and  forget  about  them.  When  the  significance  of 
deficiencies  warrant,  we  conduct  follow-up  inspections  to  determine  whether  corrective  actions 
and/or  other  changes  have  sufficiently  eliminated  the  vulnerability.  If  deficiencies  do  not 
warrant a special follow-up inspection, we include as a specific priority of our next regularly
scheduled  inspection  of  the  facility  an  evaluation  of  the  adequacy  of  actions  in  response  to  our 
previous  findings.  Therefore,  although  we  do  not  formally  close  findings,  we  do  follow-up  to 
determine  if  the  related  deficiency  has  been  corrected  to  our  satisfaction.  In  the  event  a  finding 
has  been  closed  by  the  Operations  Office  but  we  find  the  problem  still  exists,  we  will  issue  a 
repeat  finding. 

We  believe  that  this  general  distribution  of  responsibilities,  that  makes  line  managers  responsible 
for correcting deficiencies and ensuring that their corrective actions are effective, and makes
independent  oversight  responsible  for  periodically  independently  evaluating  program 
effectiveness,  is  a  model  that  is  commonly  found  throughout  government  and  industry.  It  is  also 
consistent  with  our  corporate  approach  in  other  areas,  such  as  the  approach  we  adopted  with  the 
Defense  Nuclear  Facilities  Safety  Board  regarding  responsibilities  for  safety  related  corrective 
actions  and  oversight  at  certain  facilities. 

Consequently,  we  would  recommend  the  following  changes  to  your  draft  report: 

Draft  report,  page  13,  second  paragraph  under  heading  “OA  Did  Not  Validate  or  Certify 
Closure  of  Its  Findings.” 

Change  the  first  sentence  to  read:  "Because  OA  did  not  get  formally  involved  in  the  correction 
of findings,  the  laboratories  were  not  always  aware  of  which  deficiencies  were  considered  of 
greatest  significance  and  rising  to  the  level  of finding.  Consequently  some  findings  were  never 
tracked  and  corrected  and  in  one  instance  a  laboratory  formally  tracked  and  corrected  a 
deficiency  that  OA  considered  a  lower  tier  deficiency." 

Delete  the  last  sentence  (on  page  14)  since  the  laboratories  are  expected  to  correct  all 
deficiencies,  not  just  “findings.” 

Draft  report,  page  20,  second  paragraph  under  “Conclusions”:  After  mentioning  that  OA 
does  not  formally  validate  and  verify  the  corrective  actions  and  certify  closure  of  the  findings,  add 
the  phrase  "which  DOE  views  as  a  responsibility  of  line  management." 

Draft  report,  page  21,  under  “Recommendations”:  Replace  the  third  bullet  with:  "make  the 
current  requirement  for  OA  involvement  in  reviewing  and  commenting  on  corrective  action  plans 
for  findings  resulting  from  its  inspections,  and  in  verifying  the  adequacy  of  corrective  actions 
through  follow-up  inspections  and  other  appropriate  activities  binding  by  incorporating  it  into 
the  DOE  directives  system;  and"  This  identifies  appropriate  action  by  OA  to  ensure  that 
corrective  actions  are  responsive  and  effective  without  usurping  line  management 
responsibilities. 

Findings  Tracking  System.  The  draft  report  gives  the  reader  a  distorted  impression  of  SSIMS 
as  an  incomplete  and  inadequate  safeguards  and  security  tracking  system.  It  is  in  fact  a 
comprehensive  system  for  fulfilling  its  intended  purpose.  While  there  are  clearly  opportunities 
to  enhance  the  system  and  its  utility,  the  report  does  not  provide  the  proper  balance. 

Draft  report,  page  2,  first  sentence:  Wording  in  some  parts  of  the  report  tends  to  give  the  false 
impression  that  the  Safeguards  and  Security  Information  Management  System  (SSIMS)  is 
operated  by  the  Office  of  Independent  Oversight  and  Performance  Assurance.  This  is  not  the 
case.  The  system  is  operated  by  the  Office  of  Security  Affairs  within  the  Office  of  Security  and 
Emergency  Operations.  Recommend  the  following  changes  for  clarification.  For  clarity,  change 
the  first  sentence  to  read:  "The  DOE  Office  of  Security  and  Emergency  Operations  maintains  a 
centralized..." 

Draft  report,  page  7,  paragraph  2,  sentence  6:  SSIMS  has  been  programmed  since  1988  to 
accept  these  reports.  Currently,  five  closed  Office  of  Inspector  General  (IG)  findings  are 
recorded  on  SSIMS.  Guidance  put  out  by  OSS  provided  field  offices  with  the  information  on 
entering  various  forms  of  oversight  reviews  (including  OA,  IG  and  GAO). 

Draft  report,  page  8,  last  paragraph:  The  Office  of  Security  and  Emergency  Operations  does 
not  restrict  SSIMS  access  to  anyone  as  long  as  that  person(s)  has  the  appropriate  “Q”  clearance 
(or  recognized  equivalent),  a  need-to-know,  and  authorization  from  their  respective  Division 
Director.  The  training  and  equipment  costs  associated  with  establishing  access  to  SSIMS  are 
minimal  and  have  never  been  a  deterring  factor  in  granting  anyone  or  any  organization  access  to 
SSIMS.  Any  user  with  access  to  the  system  can  access  all  of  the  information  in  the  database. 

However,  because  of  the  current  system  configuration,  access  to  the  system  is  limited  to  DOE 
Headquarters,  field  offices,  and  their  support  contractors.  Allowing  access  to  the  system  by 
laboratory  employees  would  require  that  the  system  be  compartmented  in  order  to  control  need- 
to-know. 

This  discussion  should  also  explicitly  acknowledge  the  “need-to-know”  concerns  that  must  be 
balanced  with  the  advantages  of  broader  access  to  SSIMS.  It  should  also  mention  that  a  strong 
analysis  and  lessons-learned  program  to  disseminate  appropriate  information  from  SSIMS  to 
other  sites  could  compensate  for  limited  access  to  SSIMS  by  site  contractors.  Recent  initiatives 
by  SO  (site  status  briefings  by  S&S  Desk  Officers  and  the  “cross  talk”  program)  are  intended  to 
enhance  lessons-learned  communications. 

Draft  report,  page  14,  paragraph  1:  In  the  sentence  “The  draft  report  clearly  identified  and 
numbered  . . .”  insert  the  following  at  the  end:  “although  the  numbers  did  not  conform  to  the 
numbering  format  in  SSIMS.” 

Miscellaneous  Comments. 

Report  title.  Within  the  DOE  safeguards  and  security  community,  the  term  “oversight”  is 
generally  accepted  to  refer  to  the  activities  of  the  Office  of  Independent  Oversight  and 
Performance  Assurance.  Even  though  the  word  is  used  properly,  in  its  generic  sense,  in  the  draft 
report,  it  will  be  misinterpreted  in  the  DOE.  Most  of  the  concerns  addressed  in  the  draft  report 
are  related  to  line  management  feedback  and  improvement  processes  and  responsibilities,  such  as 
tracking  systems  for  corrective  actions,  corrective  action  analysis,  etc.  Few  of  the  concerns 
relate  to  Independent  Oversight.  However,  the  title  suggests,  and  will  be  interpreted  in  DOE  to 
mean,  that  the  report  is  primarily  about  problems  with  Independent  Oversight.  We  suggest  a 
more  neutral  title,  or  use  of  alternate  wording  for  “oversight.”  For  example,  we  suggest  an 
appropriately  descriptive  title  could  be:  “Improvements  Needed  in  DOE’s  Safeguards  and 
Security  Feedback  and  Improvement  Process.” 


Glenn  S.  Podonsky,  Director 
Office  of  Independent  Oversight 
and  Performance  Assurance 


E.  Habiger,  SO-1 

K.  Eberwine,  CN-1 

J.  McDuffie,  CR-2 

L.  Thomas,  DP-44 

D.  Speidel,  NN-10 

B.  Lasky,  SC-624 
L.  Kiasnovsky,  OAK 
L.  Raab,  AL 
I.  Pollack,  GAO 

K.  Lightner,  GAO 